Bug 1227560 (CVE-2024-36138) - VUL-0: CVE-2024-36138: nodejs: bypass incomplete fix of CVE-2024-27980
Summary: VUL-0: CVE-2024-36138: nodejs: bypass incomplete fix of CVE-2024-27980
Status: RESOLVED INVALID
Alias: CVE-2024-36138
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P5 - None : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-07-09 09:55 UTC by Andrea Mattiazzo
Modified: 2024-07-17 08:30 UTC (History)
1 user (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Andrea Mattiazzo 2024-07-09 09:55:25 UTC 
The CVE-2024-27980 was identified as an incomplete fix for the BatBadBut vulnerability. This vulnerability arises from improper handling of batch files with all possible extensions on Windows via child_process.spawn / child_process.spawnSync. A malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.

This vulnerability affects all users of child_process.spawn and child_process.spawnSync on Windows in all active release lines.

Impact:

This vulnerability affects all Windows users in active release lines: 22.x, 20.x, 18.x
Comment 1 Andrea Mattiazzo 2024-07-09 09:56:17 UTC 
Closing since it affects only windows users.
Comment 3 Maintenance Automation 2024-07-16 08:30:01 UTC 
SUSE-SU-2024:2496-1: An update that solves three vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1222665, 1227554, 1227560
CVE References: CVE-2024-22020, CVE-2024-27980, CVE-2024-36138
Maintenance Incident: [SUSE:Maintenance:34774](https://smelt.suse.de/incident/34774/)
Sources used:
Web and Scripting Module 12 (src):
 nodejs18-18.20.4-8.24.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 4 Maintenance Automation 2024-07-17 08:30:02 UTC 
SUSE-SU-2024:2543-1: An update that solves six vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1227554, 1227560, 1227561, 1227562, 1227563
CVE References: CVE-2024-22018, CVE-2024-22020, CVE-2024-27980, CVE-2024-36137, CVE-2024-36138, CVE-2024-37372
Maintenance Incident: [SUSE:Maintenance:34775](https://smelt.suse.de/incident/34775/)
Sources used:
openSUSE Leap 15.5 (src):
 nodejs20-20.15.1-150500.11.12.2
Web and Scripting Module 15-SP5 (src):
 nodejs20-20.15.1-150500.11.12.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 5 Maintenance Automation 2024-07-17 08:30:06 UTC 
SUSE-SU-2024:2542-1: An update that solves three vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1222665, 1227554, 1227560
CVE References: CVE-2024-22020, CVE-2024-27980, CVE-2024-36138
Maintenance Incident: [SUSE:Maintenance:34773](https://smelt.suse.de/incident/34773/)
Sources used:
openSUSE Leap 15.4 (src):
 nodejs18-18.20.4-150400.9.24.2
openSUSE Leap 15.5 (src):
 nodejs18-18.20.4-150400.9.24.2
Web and Scripting Module 15-SP5 (src):
 nodejs18-18.20.4-150400.9.24.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.